[c-nsp] private vlan trouble?

Matt Buford matt at overloaded.net
Fri Sep 29 23:06:33 EDT 2006


> I have the following private vlan configuration:
>
> What do I have to do in order for the networks sitting behind router1 and
> router2 to talk to each other?
>
> I have verified that both routers have the correct routes on their routing
> table

I don't think you provide enough information about what you want to 
accomplish.  What are these "correct" routes?  The whole point of a private 
vlan configuration is that host ports can never speak to host ports - at 
all.  Host ports may speak to a promiscuous port.  So, if you have a third 
router marked as promiscuous, you can tell router 1 to reach router 2 via 
router 3.  If neither router is promiscuous and you have no other 
promiscuous router to act as a go-between, then you have no way for 
communication to happen.

In my case, I have 6500 with MSFCs as promiscuous default-gateway routers 
for my private vlan full of many customer servers, firewalls, and routers. 
Host port A can never speak to host port B.  However, A can route traffic to 
B via the default gateway.  The hosts must have their routing tables set so 
that they route traffic to each other via the gateway - not directly with 
ARP.

This can be expanded on by enabling "local proxy arp", which causes the 
gateway router to answer all ARPs with its own MAC - even those in the same 
subnet.  So, if host A is 10.0.0.10/24 and host B is 10.0.0.20/24, when A 
arps for B the gateway (say 10.0.0.1/24) actually answers with its own MAC. 
The end result of this is host ports become able to communicate with each 
other automatically - but only via the router.  You can then ACL this router 
interface however you want.  Hosts aren't bothered by broadcasts from other 
hosts, and no host can IP conflict with the gateway.  This is what I use.

It isn't as secure as a true VLAN-per-customer configuration, but it sure 
beats a regular flat shared VLAN. 
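The arrangement Matt describes (isolated host ports, the MSFC SVI as the promiscuous gateway, local proxy ARP, and an ACL on that SVI), written out as an added example in Catalyst 6500 IOS syntax; this is not configuration from the original post, and the VLAN numbers, interface names, addresses and the ACL policy are assumptions.

```ios
! Constructed example (not from the post). VLAN ids, interface names,
! addresses and the ACL policy are assumptions.
!
! Primary VLAN 100 carries the 10.0.0.0/24 subnet; isolated VLAN 101 holds
! the customer host ports. Isolated ports can only reach promiscuous ports.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Customer host ports: "host" ports in the isolated VLAN, so A and B can
! never exchange frames directly.
interface GigabitEthernet1/1
 description customer A (10.0.0.10)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/2
 description customer B (10.0.0.20)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Gateway SVI on the MSFC. The private-vlan mapping makes it the promiscuous
! side for VLAN 101; local proxy ARP makes it answer ARP for addresses in its
! own subnet, so A->B traffic is sent to the MSFC MAC and hits the ACL below.
interface Vlan100
 description PVLAN gateway
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101
 ip proxy-arp
 ip local-proxy-arp
 ip access-group PVLAN-GW-IN in
!
! Example policy applied to routed host-to-host traffic: ICMP between
! customers is allowed, SMB between customers is dropped, all else passes.
ip access-list extended PVLAN-GW-IN
 permit icmp 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   tcp  10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 445
 permit ip   10.0.0.0 0.0.0.255 any
```

`show vlan private-vlan` confirms the primary/secondary association and which ports sit in each; `ip proxy-arp` is on by default but is listed because local proxy ARP depends on it.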